#5
4th April 2010, 23:28
awe

Hello again,

Just a few doubts now.
Code:
Fri Apr 2 19:42:33 2010 : Debug: sql {
Fri Apr 2 19:42:33 2010 : Debug: driver = "rlm_sql_mysql"
Fri Apr 2 19:42:33 2010 : Debug: server = "localhost"
Fri Apr 2 19:42:33 2010 : Debug: port = ""

I imagine that not specifying the port number results in freeradius using the default... or not? Can freeradius really access the database engine?

Now another doubt.
Code:
Fri Apr 2 19:42:33 2010 : Debug: nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
Fri Apr 2 19:42:33 2010 : Debug: authorize_check_query = ""
Fri Apr 2 19:42:33 2010 : Debug: authorize_group_check_query = ""
Fri Apr 2 19:42:33 2010 : Debug: authorize_group_reply_query = ""

Well, the query that does the checking for determining authorisation is authorize_check_query. Or at least it works like this on my system. In your case it's an empty string "". I think that you should populate authorize_check_query with a valid SQL query, and then populate the "radcheck" table with usernames, the field Attribute always containing the string "Password", the field op containing "==" (it's the operand), and the field Value containing the password itself (because the attribute is password).

The structure of my radcheck table is the following:
Code:
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned | NO   | PRI | NULL    | auto_increment | 
| UserName  | varchar(64)      | NO   | MUL |         |                | 
| Attribute | varchar(32)      | NO   |     |         |                | 
| op        | char(2)          | NO   |     | ==      |                | 
| Value     | varchar(253)     | NO   |     |         |                | 
+-----------+------------------+------+-----+---------+----------------+

Example:
Code:
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  1 | Mike     | Password  | == | m1k3  | 
+----+----------+-----------+----+-------+

Then the query would be:
Code:
authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{User-Name}' ORDER BY id"

which is the standard query. In order to add or remove users, simply edit the radcheck table. By the way, you use ${User-Name}; I use ${SQL-User-Name} instead. I suppose your syntax will be OK. In my case, the sql.conf file states that when you use ${SQL-User-Name} you ensure that the user name is correctly escaped and contains no characters that can ruin the SQL query.

You can actually check across different tables, but for debugging purposes what I suggest is the starting point. Once that is working you can start refining your query.

On my system, if you do what I am telling you, it should work. If you follow my suggestion then try the following command (you must be logged into the server locally or by SSH):
Code:
sudo radtest "Mike" m1k3 127.0.0.1 0 [your radius password]

and it should return an Access-Accept. Don't forget the "0" between the IP address and the radius password. I tend to forget it, it gives a syntax error and I have to retype (I hate it when it happens).

Hope this helped.

Last edited by awe; 4th April 2010 at 23:30.
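The following is an added example, not part of the original post and not FreeRADIUS code: it rebuilds the radcheck table from the post and shows why the user name must be escaped before it is substituted into authorize_check_query. Assumptions: SQLite stands in for MySQL, and escape_username() is a hypothetical helper modelled on the "safe-characters" style of escaping, where any character outside an allowed list is rewritten as =XX.

```python
import sqlite3

# Assumption: allowed characters, modelled on a sql.conf "safe-characters" list.
SAFE = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

# The query from the post, with its %{User-Name} placeholder.
QUERY = ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
         "WHERE Username = '%{User-Name}' ORDER BY id")

def escape_username(name):
    """Hypothetical helper: rewrite every character outside SAFE as =XX (hex)."""
    return "".join(c if c in SAFE else "=%02X" % ord(c) for c in name)

def expand(query, username, escaped=True):
    """Substitute the user name into the query text, as the server does."""
    value = escape_username(username) if escaped else username
    return query.replace("%{User-Name}", value)

def make_db():
    """Build an in-memory radcheck table holding the post's sample row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " UserName TEXT NOT NULL,"
        " Attribute TEXT NOT NULL,"
        " op TEXT NOT NULL DEFAULT '==',"
        " Value TEXT NOT NULL)")
    db.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
               "VALUES ('Mike', 'Password', '==', 'm1k3')")
    return db

def check_items(db, username, escaped=True):
    """Run the expanded query; return the rows, or the error text on failure."""
    try:
        return db.execute(expand(QUERY, username, escaped)).fetchall()
    except sqlite3.OperationalError as exc:
        return "query failed: %s" % exc

if __name__ == "__main__":
    db = make_db()
    print(check_items(db, "Mike"))                    # known user: one check item
    print(check_items(db, "O'Brien", escaped=False))  # raw quote breaks the SQL
    print(check_items(db, "O'Brien"))                 # escaped: valid SQL, no rows
```

A legitimate name containing an apostrophe is enough to break the unescaped query, which is the failure the escaped variable is meant to prevent.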